It is a truism that business hates uncertainty. It was therefore no surprise to see bold proclamations regarding the United Kingdom’s planned exit from the European Union, the so-called “Brexit” vote in June.

Such talk may be a bit premature. Buyer’s remorse among some Leave voters sparks a long-shot prospect for a second vote. It also remains to be seen when the U.K. will formalize the split and how the months-long negotiations to do so will unfold. That process could have a tremendous effect on companies that do business throughout Europe.

The message for U.S. companies that do business throughout Europe, to use a very British phrase: Keep calm and carry on.

“This could be much ado about nothing,” says Ashley Craig, co-chair of the law firm Venable’s international trade group. Nevertheless, companies are asking for clarification that no one can give.

“U.S. companies want consistency,” Craig says. “They want some sort of stability, but we are not going to get that right away. In the meantime, they need to be cautious, practical, and monitor what’s going on.”

Amid chatter by bank holding companies that they may relocate to Dublin, Frankfurt, or a number of other countries, Craig suggests not worrying about such a scenario just yet. “A lot of what is going on right now is more rhetoric than reality,” he says, pointing out that it will be hard to leave London, built up over the past 25 years as one of the world’s international financial hubs.

Craig’s pitch for rationality, however, isn’t meant to mask very real challenges that may be ahead for U.S. firms operating from the United Kingdom.

A key reason many U.S. companies establish in the United Kingdom is its access to other EU and third-country markets through Customs Union and Free Trade Agreements (FTAs), he says. Upon exit, the United Kingdom will likely lose preferential access, and exports of U.S. businesses from the United Kingdom may be subject to duties and other taxes. While the U.K. will likely negotiate an FTA with the European Union, doing so will take time and probably not match the level of preferential access that currently exists. As a result, many U.S. manufacturers currently operating in the United Kingdom may eventually want to establish themselves in other EU Member States.

“The British are going to have to quickly stand up an entire trade authority which they haven’t had to do in generations,” Craig says. “On top of it, they are going to have to go about negotiating multilateral trade agreements around the world. That’s not a slam dunk and it is certainly not something that can be expedited. Practically speaking, it is not going to affect the day-to-day trade flow, but it is a long-term concern.”

Of the financial institutions and insurance companies that currently operate from the U.K., many do so because “passporting” enables them to provide services across the EU. Unless otherwise agreed between the European Union and the United Kingdom, this will no longer be an option after the latter’s exit, Craig says. Firms might then consider leaving the UK as a whole and establishing themselves in other EU countries, such as France, Germany, Ireland or the Netherlands.

Access to human capital is another concern that Craig highlights. Many U.S. companies enjoy access to a large pool of qualified employees from other EU countries, whose citizens are largely free to work without borders and visas. If free travel for workers is restricted, U.S. companies will face a labor and talent shortage unless they maintain both a U.K. and EU presence.

What will be among the more challenging matters for American companies amid a European divorce are issues of data privacy and protection.

Europeans, as evidenced by the difficulty obtaining a comparable compliance regime with U.S. companies, may see their own regulatory regime splintered by a U.K. exit. That doesn’t mean, however, that American enterprises can stop worrying about rigid new data privacy rules that become effective in May 2018, which will affect any company that collects and handles data on citizens of the European Union.

In January the European Parliament and Council of the European Union approved a final draft of the EU General Data Protection Regulation (GDPR). It will replace the current EU Data Protection Directive, enacted in 1995, and impose compliance obligations on any company—even those outside the EU—that offers goods or services to individuals in its Member States, or that monitors their behavior. Companies that don’t meet the new requirements can face fines up to 4 percent of total annual global revenue or €20 million ($21.5 million), whichever is higher. For corporate giants like Apple, Facebook, and Google, fines can potentially amount to billions of dollars.

“When the U.K. has to put its own rules in place, do they follow the GDPR or come up with something a little more business-friendly?” Craig asks. “How far does the U.K. go to match the rest of the EU to be deemed adequate? How far do they want to go to match the GDPR?”

Despite the Leave vote, “it is vitally important that the controllers and processors of personal data do not fall into the trap of thinking that GDPR no longer matters to them,” says Stewart Room, co-leader of PwC’s Global Privacy Centre of Excellence. “Compliance with the standards of EU data protection law will be a ‘red line’ requirement for the U.K.’s continuing access to the single market.”

While the United Kingdom (always more business-friendly in its approach to data issues) could create its own rules, the GDPR will likely become effective before its split is finalized. If the United Kingdom is still a part of the European Union in May 2018, the new law will apply automatically, exposing non-compliant organizations to a risk of high regulatory fines, as well as new forms of litigation risk.

“It is certainly a possibility that the U.K. will pass legislation to give effect to the GDPR,” Room adds. “Failure to do so will not only lock out the U.K. from the single market, but it will effectively prevent any form of business with the EU where personal data is involved. That would be a disaster for multinationals that operate in both the European Union and the United Kingdom. It would also mean UK citizens would not receive privacy protections and civil liberties equivalent to those on the continent.”

Any organization based in the United Kingdom that wants to engage with the EU, whether or not as part of the single market, needs to continue with its preparations for the GDPR, he advises.

“Not only is the GDPR still as relevant as before for American companies with U.K. operations, but the uncertain nature of the U.K.'s adoption of it is an added reason for them to get C-suite visibility into their GDPR implementation roadmaps,” says Jay Cline, co-leader of PwC’s Global Privacy Centre of Excellence. “American companies that are considering changing the headquarters of their EU operations from London to a German city should first perform a complete cost-benefit assessment of how Germany’s stricter approach to data privacy could impact their entire enterprise architecture.”

First there was the U.S.-EU Safe Harbor, then the EU-U.S. Privacy Shield, and now there may be the EU-U.K. Privacy Shield as well, says Aaron Tantleff, a lawyer in the privacy, security and information management practice at Foley & Lardner.

“Shouldn’t the U.K. be subject to the same security with respect to compliance with EU data protections laws, including the upcoming GDPR? The U.K. will now get to experience the same joys as the U.S. in ensuring the protection of the personal data of EU citizens,” he says. “The basic premise of GDPR and the ‘harmonization’ of data protection laws across the entire European Union just went out the window.

“I would be lying if I claimed this to be anything but a fundamental shift of the flow of personal information across Europe,” Tantleff says. “That said, the sky is not falling and Chicken Little has not been hit over the head with bits of data. While there are more questions than answers at the moment, for now the sky remains clear, though I would carry an umbrella just for protection.”

Regardless of what happens, any company, located in the United Kingdom, United States, or elsewhere, that is collecting, processing, or storing personal data of an EU citizen will still have to comply with the laws of the European Union, including GDPR, or will be subject to significant fines, he adds. The unfortunate side effect: “The cost of compliance will go up.”

“At the end of the day you are still trading with the rest of the EU and you are still collecting information on its citizens,” he says.

Efforts to harmonize international financial regulations have also been a long-evolving process, in particular as the U.S. and EU look to realize regulatory adequacy and “substituted compliance” between their derivatives regimes. The U.K. exit could affect that scenario as well.

“From a financial services perspective, the key issue will be whether the U.K. can continue to maintain at least partial access to the EU market for financial services,” says Peter Green, a London-based partner with Morrison Foerster. Various scenarios could unfold as the U.K. strikes out on its own, but it remains to be seen if it remains part of the European Economic Area (EEA) and its free trade agreements.

That participation would preserve the single market for financial services, he says. “The ‘big but’ is that the U.K. would need to continue contributing to the EU budget and accept most of its rules regarding movement across the economic area. Politically, that would seem pretty unlikely. What is more likely is that the U.K. will exit both the EU and the EEA. We will then see some sort of negotiated free trade.”

The effect on U.S. firms based in the United Kingdom that are conducting business across the EU will depend on the nature of how those negotiations proceed and whether “passporting” is retained. Similarly, the forthcoming Markets in Financial Instruments Directive II, a framework for supervision and oversight of firms providing financial services across the European Union, would complicate matters. U.S. companies in the United Kingdom may need to relocate if the United Kingdom’s own regime doesn’t meet its standards for “substituted compliance” across the remaining Member States.
